Law: The Law of 1 June 2010 No. 2297-VI on Personal Data Protection (as amended) (only available in Ukrainian here) ('the Personal Data Protection Law')
Regulator: The Ukraine Parliamentary Commissioner for Human Rights ('the Commissioner')
Summary: Data protection in Ukraine is primarily governed by the Personal Data Protection Law, the Constitution of Ukraine, and additional legislation issued by the Commissioner, such as the Sample Order of Personal Data Processing (only available in Ukrainian here). The Personal Data Protection Law provides for data subject rights, obligations for data controllers, and general requirements for the processing of personal information, while the Commissioner's legislative acts address topics such as special risk data and supervision processes. In addition, the Commissioner often conducts audits to ensure compliance with data protection laws, and has notably investigated the electronic health care system.
On 25 October 2022 a draft law on Personal Data Protection (only available in Ukrainian here) was submitted to the Parliament of Ukraine following the rejection of the previous data protection bill from June 2021. The draft law provides, among other things, grounds for the processing of personal, sensitive, as well as biometric information; data subject rights; responsibilities for data controllers and operators, including the adoption of Privacy by Design and requirements for the security of processing and cross border data transfers, as well as the carrying out of Data Protection Impact Assessments.